Once opened, the decoy document triggers the “CVE-2017-0262” vulnerability in the EPS filter of Microsoft Office. In this case, the malicious EPS file is called “image1.eps” and is embedded in the .docx file, as shown in Figure 1.

Figure 1

The EPS file is a PostScript program that leverages a use-after-free vulnerability in the “restore” operator.
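Because a .docx is a ZIP container, a first triage step is simply to list the embedded media entries and flag anything that is an EPS file (by extension or by its “%!PS” header), the way “image1.eps” would have shown up here. The following is an added example written for this page, not code from the original analysis; the archive it builds is a constructed stand-in with a harmless placeholder EPS, not the malicious sample.

```python
"""Triage helper: list EPS images embedded in a .docx (a ZIP container).
Added example for this write-up; the sample archive below is constructed."""
import io
import zipfile

PS_MAGIC = b"%!PS"  # PostScript / EPS files start with this header


def find_embedded_eps(docx_bytes: bytes) -> list:
    """Return one record per ZIP entry that looks like an EPS image,
    matching either on the .eps extension or on the PostScript header."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            is_eps_name = name.lower().endswith(".eps")
            with zf.open(info) as member:
                head = member.read(len(PS_MAGIC))  # header bytes are enough
            is_ps_header = head.startswith(PS_MAGIC)
            if is_eps_name or is_ps_header:
                hits.append({
                    "entry": name,
                    "size": info.file_size,
                    "eps_extension": is_eps_name,
                    "postscript_header": is_ps_header,
                })
    return hits


def build_sample_docx() -> bytes:
    """Constructed minimal .docx-like archive with one EPS and one PNG image.
    The EPS body is a harmless placeholder, not the exploit file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.eps",
                    "%!PS-Adobe-3.0 EPSF-3.0\nshowpage\n")
        zf.writestr("word/media/image2.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_embedded_eps(build_sample_docx()):
        print(hit)
```

To run it against a real document, pass the file's bytes (`open(path, "rb").read()`) to `find_embedded_eps`; any EPS entry in an Office document received from outside the organisation deserves a closer look, since the EPS filter has been disabled by default in patched Office builds and legitimate documents rarely carry one.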

Upon code execution, a shellcode is loaded that resolves several Windows APIs, including:

NtAllocateVirtualMemory

NtFreeVirtualMemory

ZwProtectVirtualMemory

Image1.eps carries both the shellcode and the payload, as shown in Figures 2, 3 and 4:

Figure 2 (Shellcode in hex bytes)

Figure 3 (PostScript used to run the shellcode in memory)

Figure 4 (Payload in PostScript)

Dynamic Analysis

The exploit arrives as a malicious MS Word document. On opening the document the exploit is executed and the decoy document is opened, as shown in Figure 5.

In addition, a number of background activities run in parallel on the victim’s system. A file named “b12c.exe” is dropped in the TEMP location, as shown in Figure 6.

Note that all this execution happens within the WINWORD.EXE process running with the current user’s privileges.

Figure 6

The other activities on the victim’s system include the following:
Installs hooks/patches into the running process

The dropped file, “b12c.exe” also starts a child process named “OGLCache.exe”, as shown in

b12c.exe copies itself to “%appdata%/AMD/OGLCache.exe”, where “AMD” is a new directory created by b12c.exe.

The command executed to create the folder and copy itself into it is shown in Figure 7:

/c copy “%APPDATA%\AMD\OGLCache.exe+” “%APPDATA%\AMD\OGLCache.exe”

Once copied, “b12c.exe” terminates itself and the child process “OGLCache.exe” continues as the parent process, as shown in Figure 8.

OGLCache.exe is then used to change the system’s personalised settings. Once the user restarts or powers on the system, OGLCache.exe starts reconfiguring the system, as shown in Figure 9.

This reconfiguration runs in an infinite loop and the user is unable to access the system. “Personalized Settings” starts on every restart because the malware also creates registry entries to remain persistent across reboots.

The malware also reads the CPU name from the registry, possibly as an anti-virtualization check, as shown in Figure 10.

Indicators of Compromise (IoC)

Filename: 6785e29698444243677300db6a0c519909ae9e620d575e76d9be4862b33ed490.bin
Size: 251,036 bytes
MD5: 2ABE3CC4BFF46455A945D56C27E9FB45
SHA1: 0BD354D1EEA9E4864F4C17E6C22BFDB81D88DDEE
SHA256: 6785E29698444243677300DB6A0C519909AE9E620D575E76D9BE4862B33ED490

Filename: b12c.exe (Trojan.Generic)
Size: 308,740 bytes
MD5: fcb719e28da41dd7443017eb1f456ff3
SHA1: cc1e37fc84fe746523a1413989fb29a9e72d12c9
SHA256: 2b2668fa5331ffa99fc11d881fbce91927bfac1a8ec5705b6412c7903543116a
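The hashes above are only useful if they are actually compared against files on a suspect host. The script below is an added example for this page, not code from the original write-up: it hashes a file with all three algorithms and reports any match against the IoC list, and it also looks at the two drop locations named in the dynamic analysis (TEMP and %APPDATA%\AMD). The label “.bin sample” for the first IoC entry and the exact drop paths are assumptions taken from the text, not verified against the sample.

```python
"""Compare files against the IoC hashes from this analysis.
Added example; the IoC values are copied from the list above."""
import hashlib
import os

# Hashes exactly as listed in the IoC section, normalised to lowercase.
IOC_HASHES = {
    "2abe3cc4bff46455a945d56c27e9fb45": ".bin sample (MD5)",
    "0bd354d1eea9e4864f4c17e6c22bfdb81d88ddee": ".bin sample (SHA1)",
    "6785e29698444243677300db6a0c519909ae9e620d575e76d9be4862b33ed490":
        ".bin sample (SHA256)",
    "fcb719e28da41dd7443017eb1f456ff3": "b12c.exe (MD5)",
    "cc1e37fc84fe746523a1413989fb29a9e72d12c9": "b12c.exe (SHA1)",
    "2b2668fa5331ffa99fc11d881fbce91927bfac1a8ec5705b6412c7903543116a":
        "b12c.exe (SHA256)",
}

# Drop / persistence locations described in the dynamic analysis (assumed
# paths). On a non-Windows host the %VAR% parts stay unexpanded, so the
# paths simply do not exist and check_file() returns [].
SUSPECT_PATHS = [
    os.path.expandvars(r"%TEMP%\b12c.exe"),
    os.path.expandvars(r"%APPDATA%\AMD\OGLCache.exe"),
]


def hash_bytes(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 of an in-memory buffer (for small samples)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_hashes(digests: dict) -> list:
    """Return the IoC labels whose hash equals any of the given digests.
    Comparison is case-insensitive because the list mixes upper/lower case."""
    return [IOC_HASHES[d.lower()] for d in digests.values()
            if d.lower() in IOC_HASHES]


def check_file(path: str) -> list:
    """Hash a file on disk in chunks and report IoC matches.
    Returns [] when the file is absent or matches nothing."""
    if not os.path.isfile(path):
        return []
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return match_hashes({"md5": md5.hexdigest(),
                         "sha1": sha1.hexdigest(),
                         "sha256": sha256.hexdigest()})


if __name__ == "__main__":
    for p in SUSPECT_PATHS:
        print(p, "->", check_file(p) or "not present / no IoC match")
```

Because the sample copies itself and the original b12c.exe is deleted, a hit on the %APPDATA%\AMD path is the more likely find on a compromised machine; an empty result there does not rule out infection if the registry persistence entries described earlier are present.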

Precautions

If, at restart or power-on, the user is presented with a pop-up as shown in Figure 9, carry out the following:

Do a hard power-off (pull the power cord or long-press the power button).